IRS scans for IP restrictions set for a particular service on a Host. It combines "ARP Poisoning" and 'Half-Scan' techniques and tries totally spoofed TCP connections to the selected port of the Target. IRS is not a port Scanner but a 'valid source IP address' Scanner for a given service.

sTerm is a Telnet client with a unique feature. It can establish an entire bi-directional Telnet session to a target host never sending your real IP and MAC addresses in any packet. By using "ARP Poisoning", "MAC Spoofing" and "IP Spoofing" techniques sTerm can effectively bypass ACLs, Firewall rules and IP restrictions on servers and network devices. the connection will be done impersonating a Trusted Host.

cPfPc (Cisco PIX Firewall Password Calculator) produces the encrypted form of Cisco PIX enable mode passwords without the need to access the device.

ArpWorks is an utility for sending customized 'ARP announce' packets over the network. All ARP parameters, including the Ethernet Source MAC address (the phisical address of your network card) can be changed as you like. Other features are: IP to MAC resolver, subnet MAC discovery, host isolation, packets redirection, general IP confict.

CredDump is an utility that dumps passwords from Windows XP/2003 user's credential files and shows them in they're cleartext form.

I have seen a video tutorial on ARP poisoning with Cain and read Mao's flash tutorial. In Mao's flash tutorial he talks about redirecting traffic from an outside LAN. However, I cant find a tutorial that goes into more detail about it. Can someone tell me if there is a tutorial somewhere that has a step by step of how to make Cain work outside of your own LAN?

You can not do this because ARP is layer2 and your subnet is the only place you can router MAC addresses. You can use some of the other features in Cain over the internet but not ARP poisoning. ARP poisoning will only work in a layer2 network. The only option to go past you own LAN is if Mao figures out how to get Winpcap to work in Able and allow remote installation of Able to relay the ARP info over other subnets.

With MPLS or Metro Ethernet services it is true because it's a layer2 service by the ISP. smiler to a Layer2 VPN but the point I was trying to make was ARP poisoning works in the MAC domain your in unless you have a device to repeat or encapsulate the layer2 MAC addresses to forward them to the next network. Other issues you might see in an MPLS/Metro Ethernet service is being restricted by VLAN. I have requested Mao to find a remote (Able) solution to access other subnets with the ARP traffic and tables but to do this you will need some way to bounce or repeat the mac domain tables so Cain can alter them to force the traffic to you NIC.